Student Nils Kenneweg had discovered that the pages of the American Express web site did not adequately filter data passed to a search function, thereby allowing direct access to the database server. He sent a message about this SQL injection problem to the heise Security team, who were able to reproduce it; the information was then passed on to American Express.

The company reacted quickly and fixed the vulnerability within a few days. It stated that the vulnerability had not been used and no customer data had been compromised. Some doubt exists about this statement, however, since SQL injection frequently allows access to all of an affected system’s data, and tables with names like “Accounts” often show up in SQL statements.